This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

RSA SA ESA current_time

OwenCheng
Beginner
Beginner

‎2016-05-02 12:16 PM

I am new with EPSER. I am trying to create a ESA advanced rule to detect system configuration during trading hours

 

This is what I created, using "current_timestamp" function to see whether it is Mon-Fri 9am-5:59pm. While I save the rule, I got no validation error, but not able to sync the rule, with java error.

 

I want to know if this rule make sense and why it cannot be sync?

Please help.

 

thanks a lot

 

*********************************************************************************************************

      SELECT *, current_timestamp.getDayOfWeek() as var_dayofweek, current_timestamp.getHourofDay() as var_hourofday FROM Event(

            /* Statement: CiscoDeviceChange */

            (device_type IN ( 'ciscosecureacs' ) AND event_desc IN ( 'Changed configuration' ) AND var_dayofweek in (1,2,3,4,5) and var_hourofday in (9,10,11,12,13,14,15,16,17))

            OR

            /* Statement: NetscreenDeviceChange */

            (device_type IN ( 'netscreen' ) AND message LIKE '%System configuration saved%' AND var_dayofweek in (1,2,3,4,5) and var_hourofday in (9,10,11,12,13,14,15,16,17))

            OR

            /* Statement: WindowsDeviceChange */

            (device_type IN ( 'winevent_nic' ) AND event_cat_name IN ( 'Config.Changes.Modify' ) AND var_dayofweek in (1,2,3,4,5) and var_hourofday in (9,10,11,12,13,14,15,16,17))

           

        )

       

       

       

        ;

 

*********************************************************************************************************

0 Likes
7 REPLIES 7

DavidWaugh1
Employee
Employee

‎2016-05-06 07:38 AM

Hi Owen, Do you have a sample log message that you can attach to the discussion. I'd like to pass this through on my system and check what is happening.

 

Thanks

0 Likes

OwenCheng
Beginner
Beginner
In response to DavidWaugh1

‎2016-05-11 04:37 AM

I have changed the rules as follow for testing of the event_time statement, but still no luck

 

 

 

      SELECT * FROM Event(

            /* Statement: WindowsDeviceChange */

            (device_type IN ( 'winevent_nic' ) AND (event_time*1000).getHourOfDay()  in (9,10,11,12,13,14,15,16,17) AND (event_time*1000).getDayOfWeek() in (1,2,3,4,5))

           

        )

 

        ;

 

%NICWIN-4-Security_5156_Microsoft-Windows-Security-Auditing: Security,rn=78229200 cid=6380 eid=4,Wed May 11 08:23:52 2016,5156,Microsoft-Windows-Security-Auditing,,Audit Success,xyz.abc.local,Filtering Platform Connection,,The Windows Filtering Platform has permitted a connection. Application Information: Process ID: 4 Application Name: System Network Information: Direction: Inbound Source Address: 192.168.21.99 Source Port: 137 Destination Address: 192.168.23.123 Destination Port: 137 Protocol: 17 Filter Information: Filter Run-Time ID: 0 Layer Name: Receive/Accept Layer Run-Time ID: 44

0 Likes

BadalChandani
Beginner
Beginner

‎2016-09-21 05:43 AM

Hi Owen,

 

I have the same requirement, were you able to solve it?

0 Likes

AndrewOjha
Employee
Employee

‎2016-09-23 05:49 PM

This example EPL Rule will alert on successful logon activity between Mon - Fri, outside of 9-5 UTC - leveraging the time ESA ingests the data (noted by 'esa_time').

 

***************************************************************************************

@Name('Logon_Activity_Non_Biz_Hours_Alert')

@Description('This is a query to alert on successful auth during non-biz hours, between Mon - Fri')

@RSAAlert(oneInSeconds=0)

SELECT * FROM Event(

ec_activity='Logon' AND ec_outcome ='Success'

AND (esa_time).getDayOfWeek  IN (2,3,4,5,6) // Monday to Friday

AND (esa_time).getHourOfDay NOT IN (9,10,11,12,13,14,15,16,17)) // 9:00 -17:00  UTC

 

***************************************************************************************

Explicitly stating which days / time to focus the query on, is one way to remove weekend days from the rule.

 

You could also explicitly specify:

 

AND (esa_time).getDayOfWeek  NOT IN (1,7) // Sunday and Saturday

***************************************************************************************

Reference Day Format

1

2

3

4

5

6

7

Sun

Mon

Tue

Wed

Thu

Fri

Sat

BadalChandani
Beginner
Beginner
In response to AndrewOjha

‎2016-09-24 04:01 AM

Thanks Andrew. Let me try that.

0 Likes

Anonymous
Not applicable
In response to BadalChandani

‎2016-09-29 04:30 PM

Hi Badal - 

 

Were you able to get esa_time working? In general we don't use Event_time since that's based on the time the original device created the message. Using event_time is problematic for us since we can be sure of quite a few factors around the accuracy of that time stamp. We use esa_time in many of our rule because, in general, we have a higher confidence in that value. 

 

Thanks!


Corey

0 Likes

BadalChandani
Beginner
Beginner
In response to Anonymous

‎2016-09-30 02:19 AM

Hi Corey,

 

Yes it is working fine now. Thanks for the support provided.

 

Regards,

Badal

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.